Evidence Collection in Peer-To-Peer Network Investigations Teja Myneedu, Yong Guan

Evidence Collection in Peer-To-Peer Network Investigations Teja Myneedu, Yong Guan

Evidence Collection in Peer-to-Peer Network Investigations Teja Myneedu, Yong Guan To cite this version: Teja Myneedu, Yong Guan. Evidence Collection in Peer-to-Peer Network Investigations. 8th In- ternational Conference on Digital Forensics (DF), Jan 2012, Pretoria, South Africa. pp.215-230, 10.1007/978-3-642-33962-2_15. hal-01523704 HAL Id: hal-01523704 https://hal.inria.fr/hal-01523704 Submitted on 16 May 2017 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License Chapter 15 EVIDENCE COLLECTION IN PEER-TO-PEER NETWORK INVESTIGATIONS Teja Myneedu and Yong Guan Abstract Peer-to-peer (P2P) file sharing networks are often abused to distribute content that is prohibited by law. Strong evidence of suspicion must be provided to obtain a court order to identify the location of an offender. However, initial evidence collection from a P2P network is a challenge due to the lack of a central point of control and the dynamic nature of the network. This paper describes an initial evidence collection tool for P2P network forensics. The tool performs active and passive monitor- ing by inserting a modified peer node in a P2P network that records relevant information about nodes that distribute contraband files. It logs data sent by suspicious nodes along with timestamps and unique identification information, which provides a strong, verifiable body of initial evidence. Keywords: Peer-to-peer networks, evidence collection 1. Introduction The distribution of child pornography is one of several criminal activ- ities that are carried out in peer-to-peer (P2P) networks. A Government Accountability Agency (GAO) report noted that 42% of the search re- sults using child-pornography-related keywords yielded P2P files [5]. A Palisade Systems survey discovered that more than 40% of the 40,000 queries issued in Gnutella over a three-week period were for adult or child pornography [7]. The prevalence of this illegal content and its easy access are troubling. Law enforcement has to be particularly cautious when investigating illegal P2P file sharing activities. Evidence must be verified at every level to build a strong case and to ensure that innocent individuals are 216 ADVANCES IN DIGITAL FORENSICS VIII not falsely implicated. An example is the Interhack investigation where a teenager was accused of possessing child pornography [14]. An outside investigator used login and file access timestamps recorded by the op- erating system to prove that the contraband files were downloaded by malware instead of by the teenager. A critical step in a P2P network investigation is the correct identifi- cation of the IP address and the physical location of the computer that was used to distribute contraband files. This paper describes an evidence collection tool designed for real-world P2P networks. The tool supports the Gnutella2 protocol [6], which uses a hierarchy of nodes to implement an efficient search mechanism. The tool can be used to uniquely identify P2P nodes based on their IP addresses and globally unique identifiers (GUIDs). Also, the tool can collect critical information such as the con- traband files associated with a keyword and the nodes in a P2P network that share a particular file. 2. Background A P2P protocol defines the network maintenance and search mecha- nisms for connecting nodes and locating and transferring files. A P2P network investigation involves the monitoring of the network topology and the messages exchanged between nodes to obtain information about contraband files that are being shared. Monitoring can occur at the network layer and/or at the application layer. In general, monitoring can be classified as active monitoring or passive monitoring. Our work builds on the P2P traffic monitoring study of Hughes, et al. [11], which did not consider passive application-level monitoring. 2.1 Passive Network-Level Monitoring Passive network-level monitoring records TCP/IP packets by posi- tioning agents at appropriate locations in the physical network infras- tructure. The agents capture data in a manner that is transparent to the underlying network. The positioning of data collection agents is critical. For example, placing an agent at the gateway of a large network enables the recording of all traffic routed to nodes in the network. On the other hand, placing an agent in a network segment of a switched LAN only enables the recording of traffic associated with a single node. An important requirement in performing passive network-level mon- itoring is effective traffic classification. In addition to distinguishing between non-P2P traffic and P2P traffic, the different types of P2P traf- fic should be classified [17]. Saroiu, et al. [18] and Gummadi, et al. [8] identified traffic by port number and header data, respectively. Sen, Myneedu & Guan 217 et al. [20] have used “application signatures” to classify real-time net- work traffic. Iliofotou, et al. [13] have proposed a dispersion graph based approach to classify different types of network traffic. These studies have found that passive network-level monitoring is transparent, but it introduces additional overhead for effective traffic classification. If the payload is encrypted, little can be done after the traffic is classified. Also, access to key segments of the network infras- tructure such as Internet service provider gateways is required, but such access may not be available. 2.2 Active Network-Level Monitoring Active network-level monitoring injects packets into a network or marks packets near a source node and looks for the marked packets near a destination node. This method cannot be used for evidence collection because introducing content into a network raises questions about the validity of the collected evidence. 2.3 Passive Application-Level Monitoring Passive application-level monitoring involves the introduction of a modified client in a network. The modified client participates in reg- ular message exchanges with its neighbors and logs messages (e.g., net- work maintenance and search messages) received from its neighbors. In general, passive application-level monitoring is transparent to a P2P network. Passive application-level monitoring records all incoming and outgoing messages between the client and its neighbors. Passive application-level monitoring has been conducted in the Gnutella [1, 9, 10] and eDonkey [2, 3] networks. Passive application-level monitoring is suitable when a non-invasive approach is desired. Unfortunately, due to the small-world properties of modern P2P networks [1], a single client cannot collect pervasive information about all the nodes in a P2P network. Attempts to address this problem include disconnecting and reconnecting the client randomly to increase its coverage [2], and using multiple modified clients [3]. 2.4 Active Application-Level Monitoring Active application-level monitoring deploys a modified client in a P2P network that actively queries the network to collect as much information as possible. In passive monitoring at the application level, only the messages that the client exchanges with its neighbors or receives from 218 ADVANCES IN DIGITAL FORENSICS VIII remote clients are logged. However, in the case of active monitoring, the client sends queries to nodes in the network to collect information about them. Also, the modified client connects to a large number of neighbors and repeatedly reconnects to different nodes in the network to cover as much of the network as possible. A crawler program was used by Saroiu, et al. [19] over a period of one month to obtain information from a Gnutella network. The crawler recorded low-level data such as IP addresses and bandwidth, and high- level data about the files being shared. Chu, et al. [4] have observed that file popularity is highly skewed with the top 10% of files accounting for more than 50% of the shared files. Active application-level monitoring can gather a large amount of in- formation about remote nodes in a network within a short period of time, but at the expense of transparency. Since this type of monitoring is very noisy and intrusive, it can result in nodes being blacklisted and being unable to connect to the network. Active monitoring at the ap- plication level can be very effective, especially if intrusiveness is not a factor and global network information is required. 2.5 Evidence Collection in P2P Networks Latapy, et al. [15] conducted a large-scale passive application-level tracing and extraction of child pornography keywords in a P2P net- work. Liberatore, et al. [16] developed a BitTorrent monitoring system for forensic evidence collection that uses GUID information for evidence validation. However, both these efforts did not address the problem of obtaining information about new keywords and files during the initial stages of a P2P network investigation. Also, they did not examine the differences between popular files and less popular files when monitoring P2P networks. 3. P2P Networks P2P networks can be broadly classified based into three categories based on their topology: (i) centralized networks; (ii) completely decen- tralized networks; and (iii) semi-centralized networks. In a centralized network, one central index/directory server maintains a list of all active/live nodes in the network. Nodes that wish to join the network send information about themselves to the central index server. Since the nodes are dependent on the central server for communications, a centralized network is not a pure P2P network. The popular BitTorrent P2P network is an example of a centralized network.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    17 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us